Hi, Vijay. Thanks for the response.
> On May 28, 2015, at 12:38 PM, vijay kn <vijay...@huawei.com> wrote:
>
> The only problem I see is if the Gw-1 rekeyed with group19 but GW2 does not
> support Group19 then it can result in traffic loss. For this, the
> administrators of the two devices must ensure that the other end supports
> this algorithm before using the same in pfs configuration.
>

This is the issue for me. Of course the root cause is the configuration mismatch (that they have no common group for PFS). We usually expect configuration mismatches to show up immediately rather than hours down the line. Ideally, the original tunnel setup would have failed. In fact, with IKEv1 where keying IPsec SAs is always done in Quick Mode you get the failure immediately.

Yoav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
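To illustrate the point the two posters are making, here is an added example (not code from either poster, nor from any IKE implementation): a small Python model that walks the IKEv2 and IKEv1 exchanges for two gateways and reports at which exchange a missing common PFS group would first surface, plus the pre-deployment compatibility check that Vijay's reply says administrators must perform by hand. The `Gateway` class, the gateway names and the group lists are constructed assumptions; group numbers are IANA Diffie-Hellman group identifiers.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


# Constructed model: a gateway's DH group configuration (hypothetical class).
@dataclass(frozen=True)
class Gateway:
    name: str
    ike_dh_groups: Tuple[int, ...]   # groups proposed/accepted for the IKE SA, preference order
    pfs_groups: Tuple[int, ...]      # groups configured for Child SA PFS (exercised at rekey)


def negotiate(offered: Sequence[int], accepted: Sequence[int]) -> Optional[int]:
    """Responder picks the first group the initiator offered that it also supports."""
    for g in offered:
        if g in accepted:
            return g
    return None


def simulate_ikev2(init: Gateway, resp: Gateway) -> List[Tuple[str, str]]:
    """Walk the IKEv2 exchanges and record where a group mismatch would surface."""
    events: List[Tuple[str, str]] = []
    ike_group = negotiate(init.ike_dh_groups, resp.ike_dh_groups)
    if ike_group is None:
        events.append(("IKE_SA_INIT", "FAIL: no common IKE DH group"))
        return events
    events.append(("IKE_SA_INIT", f"ok: IKE SA DH group {ike_group}"))
    # The first Child SA is keyed from the IKE SA's keying material and IKE_AUTH
    # carries no KE payload, so the PFS group configuration is not exercised here.
    events.append(("IKE_AUTH", "ok: first Child SA up, PFS group not checked"))
    pfs_group = negotiate(init.pfs_groups, resp.pfs_groups)
    if pfs_group is None:
        events.append(("CREATE_CHILD_SA", "FAIL: no common PFS group; the Child SA "
                       "cannot be rekeyed and traffic stops when the old SA expires"))
    else:
        events.append(("CREATE_CHILD_SA", f"ok: Child SA rekeyed with PFS group {pfs_group}"))
    return events


def simulate_ikev1(init: Gateway, resp: Gateway) -> List[Tuple[str, str]]:
    """IKEv1: every IPsec SA, including the first, is negotiated in Quick Mode,
    so a PFS group mismatch is hit before any traffic is ever protected."""
    events: List[Tuple[str, str]] = []
    ike_group = negotiate(init.ike_dh_groups, resp.ike_dh_groups)
    if ike_group is None:
        events.append(("Phase 1", "FAIL: no common DH group"))
        return events
    events.append(("Phase 1", f"ok: ISAKMP SA DH group {ike_group}"))
    pfs_group = negotiate(init.pfs_groups, resp.pfs_groups)
    if pfs_group is None:
        events.append(("Quick Mode", "FAIL: no common PFS group; no IPsec SA is ever established"))
    else:
        events.append(("Quick Mode", f"ok: IPsec SA with PFS group {pfs_group}"))
    return events


def first_failure(events: List[Tuple[str, str]]) -> Optional[str]:
    """Name of the first exchange that fails, or None if every exchange succeeds."""
    for exchange, outcome in events:
        if outcome.startswith("FAIL"):
            return exchange
    return None


def pfs_config_check(a: Gateway, b: Gateway) -> List[str]:
    """Pre-deployment check: flag every PFS group one side configures that the
    other side lacks, and whether the two sides share any PFS group at all."""
    problems: List[str] = []
    for src, dst in ((a, b), (b, a)):
        for g in src.pfs_groups:
            if g not in dst.pfs_groups:
                problems.append(f"{src.name} configures PFS group {g}, which {dst.name} does not support")
    if not set(a.pfs_groups) & set(b.pfs_groups):
        problems.append(f"{a.name} and {b.name} share no PFS group: rekey will fail")
    return problems


# Constructed scenario from the thread: Gw-1 was reconfigured to rekey with group 19,
# GW2 only supports group 14 for PFS; both still agree on group 14 for the IKE SA.
GW1 = Gateway("Gw-1", ike_dh_groups=(14,), pfs_groups=(19,))
GW2 = Gateway("GW2", ike_dh_groups=(14,), pfs_groups=(14,))

if __name__ == "__main__":
    for label, sim in (("IKEv2", simulate_ikev2), ("IKEv1", simulate_ikev1)):
        print(label)
        for exchange, outcome in sim(GW1, GW2):
            print(f"  {exchange:16} {outcome}")
    for problem in pfs_config_check(GW1, GW2):
        print("CHECK:", problem)
```

Running it shows the asymmetry the thread describes: under IKEv2 the first failure is at `CREATE_CHILD_SA`, after the tunnel has already carried traffic, while under IKEv1 it is at Quick Mode, before any IPsec SA exists. `pfs_config_check` is the kind of check worth running against both sides' configuration before changing a PFS group, since the protocol itself will not report the mismatch until the first rekey.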